Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network Security Principles & Practices

Published byCaroline Dorsey Modified over 9 years ago

Similar presentations

Presentation on theme: "Network Security Principles & Practices"— Presentation transcript:

1 Network Security Principles & Practices
By Saadat Malik Cisco Press 2003

2 – Chapter 3 – Device Security
A device is a node helping to form the topology of the network. A compromised device may be used by the attacker as a jumping board. A DoS attack may be launched against a device. Network Security

3 Two aspects of device security
Physical security Placing the device in a secure location Logical security Securing the device against nonphysical attacks Network Security

4 Physical security Considerations: Using redundant devices?
Network topology (serialized, star, fully meshed?) Where to place the network devices? Media security (wire tapping, physical eavesdropping) Adequate/uninterrupted power supply disasters Network Security

5 Device Redundancy Means of achieving redundancy:
A backup device (router, switch, gateway, …) is configured to take over the functionality of a failed active device. Means of achieving redundancy: Use routing to enable redundancy Use a redundancy protocol Hot Standby Router Protocol (HSRP) Virtual Router Redundancy Protocol (VRRP) Failover protocols Network Security

6 Cisco Command Reference
Cisco IOS Commands Master List, Release 12.2 Network Access Security Commands Configuration Guide for the Cisco Secure PIX Firewall Version 6.0: PIX Command Reference: Note: A PDF file may be downloaded from the above sites. Cisco Command Summary: Other useful sites: Windows Administration Support Portal Network Security

7 EIGRP (used in Example 3-1)
IGRP: Cisco’s Interior Gateway Routing Protocol EIGRP: Enhanced IGRP A router running EIGRP stores all its neighbors' routing tables so that it can quickly adapt to alternate routes. If no appropriate route exists, EIGRP queries its neighbors to discover an alternate route. These queries propagate until an alternate route is found. To enable EIGRP on the router you simply need to enable eigrp and define a network number. This is done as follows: Router# conf t Router(config)# router eigrp 1 Router(config-router)# network Network Security

8 Routing-enabled Redundancy
To set up routing in such a way that the routing protocols converge to one set of routes under normal conditions, and a different set of routes when some of the devices fail. (floating) static routes with varying weights: example 3-1 Dynamic routing protocols: e.g., Routing Information Protocol (RIP) Network Security

9 Dynamic routing using RIP
Alternative paths are used when the normal path fails. Fig. 3-3 Network Security

10 HSRP Host Standby Routing Protocol proprietary (Cisco)
A host uses a IP address as its default gateway. A virtual router is set up for that IP: a pair of IP and MAC addresses The addresses are ‘taken’ by a set of routers configured with HSRP One of the routers is designated as the active router. When the active router fails, one of the standby routers takes ownership of the IP and the MAC addresses. Network Security

11 HSRP HSRP group (aka. standby group) election protocol
Packet format of HSRP messages: Fig. 3-4 Messages: hello, coup hello, resign How HSRP provides redundancy? Fig. 3-5 (next slide) A virtual IP is shared between router A and B, so when B becomes the active router, no change of default gateway IP is needed in the end hosts. Network Security

12 Example HSRP Implementation Fig. 3-5
Network Security

13 HSRP Drawback: not very secure
The authentication field contains a password that is transmitted as clear text. c.f., VRRP provides better security. Network Security

14 VRRP Virtual Router Redundancy Protocol RFC 2338, RFC 3768 (4/04):
ftp://ftp.rfc-editor.org/in-notes/rfc3768.txt Non-proprietary (unlike HSRP) an election protocol that dynamically assigns responsibility for a virtual router to one of the VRRP routers on a LAN (the master router) The election process provides dynamic fail over in the forwarding responsibility should the Master become unavailable. allows any of the virtual router IP addresses on the LAN to be used as the default first hop router by end-hosts. Network Security

15 VRRP When is the master router considered down? The election process:
The master router periodically sends out an advertisement message that contains an advertisement interval. Each backup router uses a timer to decide when the master router is down. The election process: When a backup router detects that the master router is down, it sends an advertisement message with its own priority value in it. The backup router with the highest priority value becomes the new master router. Network Security

16 VRRP Question: How if an attacker injects a fake VRRP advertisement message (possibly with very high priority value) into the network? Would it then be elected to be the new master router? The answer: VRRP security features Three authentication methods No authentication Simple clear-text passwords Strong authentication (using IP authentication with MD5 HMAC) Q: What’s the Implication? Shared key A mechanism that protects against VRRP packets being injected from a remote network sets TTL = 255 Network Security

17 VRRP RFC2338 (4/1998), obsoleted by RFC3768 (R. Hinden, Ed; April 2004) ftp://ftp.rfc-editor.org/in-notes/rfc3768.txt Network Security

18 Failover Protocol Cisco PIX firewall
The functionality of a failed firewall is taken over by a standby firewall. See chapter 8 for details Network Security

19 Security of major devices
Next: Router security Firewall security Network Security

Download ppt "Network Security Principles & Practices"

Similar presentations

CCNA3: Switching Basics and Intermediate Routing v3.0 CISCO NETWORKING ACADEMY PROGRAM Chapter 2 – Single Area OSPF Single Area OSPF Link State Routing.

CCNA3: Switching Basics and Intermediate Routing v3.0 CISCO NETWORKING ACADEMY PROGRAM Chapter 2 – Single Area OSPF Single Area OSPF Link State Routing.
To Infinity & Beyond If you use HSRP Modified from the instructor bridge materials and covered in “Scaling Networks” chapter 2 curriculum - by Mark Anderson.

To Infinity & Beyond If you use HSRP Modified from the instructor bridge materials and covered in “Scaling Networks” chapter 2 curriculum - by Mark Anderson.
RIP V2 CCNP S1(5), Chapter 4.

RIP V2 CCNP S1(5), Chapter 4.
Routing Basics By Craig Lindstrom. Overview Routing Process Routing Process Default Routing Default Routing Static Routing Static Routing Dynamic Routing.

Routing Basics By Craig Lindstrom. Overview Routing Process Routing Process Default Routing Default Routing Static Routing Static Routing Dynamic Routing.
Copyright 2002 Year 2 - Chapter 5/Cisco 3 - Module 5 Routing Protocols: IGRP By Carl Marandola.

Copyright 2002 Year 2 - Chapter 5/Cisco 3 - Module 5 Routing Protocols: IGRP By Carl Marandola.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts – Chapter.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Routing Working at a Small-to-Medium Business or ISP – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 Routing Working at a Small-to-Medium Business or ISP – Chapter 6.
Implementing Layer 3 High Availability

Implementing Layer 3 High Availability
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—6-1 Implementing Layer 3 High Availability Configuring Layer 3 Redundancy with HSRP.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—6-1 Implementing Layer 3 High Availability Configuring Layer 3 Redundancy with HSRP.
Understanding Layer 3 Redundancy. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Upon completing this lesson, you will be able.

Understanding Layer 3 Redundancy. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2 Upon completing this lesson, you will be able.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L6 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L6 1 Implementing Secure Converged Wide Area Networks (ISCW)
IST 228\Ch5\IP Routing1. 2  Review of Chapter 4 Start the router simulator. You will see the prompt Router>. This is the user mode prompt. Change the.

IST 228\Ch5\IP Routing1. 2  Review of Chapter 4 Start the router simulator. You will see the prompt "Router>". This is the user mode prompt. Change the.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Network Layer Network Fundamentals – Chapter 5 Sandra Coleman, CCNA, CCAI.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Network Layer Network Fundamentals – Chapter 5 Sandra Coleman, CCNA, CCAI.
Enhanced IGRP (EIGRP) EIGRP Characteristics. EIGRP Configuration. Verifying EIGRP.

Enhanced IGRP (EIGRP) EIGRP Characteristics. EIGRP Configuration. Verifying EIGRP.
Each computer and router interface maintains an ARP table for Layer 2 communication The ARP table is only effective for the broadcast domain (or LAN)

Each computer and router interface maintains an ARP table for Layer 2 communication The ARP table is only effective for the broadcast domain (or LAN)
Distance Vector Protocols

Distance Vector Protocols
Chapter 12 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Read a routing table  Configure a static route 

Chapter 12 Intro to Routing & Switching.  Upon completion of this chapter, you should be able to:  Read a routing table  Configure a static route 
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Adjust and Troubleshoot Single- Area OSPF Scaling Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 5: Adjust and Troubleshoot Single- Area OSPF Scaling Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Routing Dynamically Routing Protocols Assist. Prof. Pongpisit.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 3: Routing Dynamically Routing Protocols Assist. Prof. Pongpisit.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Distance Vector Routing Protocols Routing Protocols and Concepts –

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Distance Vector Routing Protocols Routing Protocols and Concepts –

Similar presentations

Ads by Google